The California County Supervisor Continues to Hide Behind Unrealistic 'Conditions' on His Sequoia Voting Machine 'Hack Challenge'
COLUMNIST: 'A test that doesn't allow the hacker to work on the machines as handled prior to the election and after it is no real test at all.'
By Brad Friedman on 1/18/2007, 5:14pm PT  

There were two fresh articles this week in the media on the Riverside Hack Challenge as initially reported by The BRAD BLOG after the throw-down by Riverside County Supervisor Jeff Stone to Election Integrity Advocates just before the holidays in early December.

You'll recall he bet "a thousand to one" that the county's touch-screen Sequoia voting system could not be hacked. He did so during a public meeting on videotape. If you don't recall, we'll summarize as briefly as we can. He challenged and the Election Integrity Advocates accepted, as noted voting machine hacker and computer security expert Harri Hursti agreed to take the challenge, and then Stone and the rest of the Riverside Supervisors began to go wobbly. Stone even went so far as to invent ridiculous, unrealistic, unilateral conditions for the hack test in a desperate letter sent to then-outgoing Secretary of State Bruce McPherson, in an apparent hope for a lifeline from the county's old, but now out-of-power, state ally up in Sacramento. He doesn't appear to have gotten one. The new SoS Debra Bowen's office has informally told The BRAD BLOG they see no legal hurdles to such an independent test of voting machine security.

But with internationally respected computer security experts such as Hursti and Dr. Herbert F. Thompson of Security Innovation (the author of some 12 books on the topic including "How to Break Software Security: Effective Techniques for Security Testing" and "The Software Vulnerability Guide") and others having pointed out that Stone's unilaterally created conditions meant to simulate an attempted hack by a voter on election day were silly, unrealistic, and not the way such a penetration test would ever be carried out in the real world, Stone continues to cower behind them as reported by both media reports this week.

In doing so, Stone is tacitly admitting, of course, that his county's electronic voting systems --- which the Board of Supervisors and Riverside Registrar of Voters Barbara Dunmore have devoutly declared to be "secure" --- are, in fact, anything but.

They know damned well they are not. And their evidence-free claims to the contrary over the last 10 years or so are revealed as little more than unsubstantiated hot air now that their true lack of confidence in their own voting systems has been put on display for the world.

As they well know --- as do the Election Integrity advocates on the ground in Riverside --- the real threat to unsecured, hackable Electronic Voting Machines comes from insiders. That much has been written about time and again by computer security experts and in any number of reports on the topic. Even the biased and partisan and pro-electronic voting machine Baker/Carter Commission admitted as much when their final report on National Election Reform said, "Software can be modified maliciously before being installed into individual voting machines. There is no reason to trust insiders in the election industry any more than in other industries."

Revealed along with Stone's disingenuous "condition" in his letter to McPherson, that the hack tester may not "reach around the back of the machine" --- (Stone may have forgotten when he made his challenge initially that The BRAD BLOG had long ago reported that voters could vote as many times as they wanted on Sequoia touch-screen systems by merely pressing a yellow button on the back of the machine) --- the folks in Riverside have exposed themselves as knowing full well about the unreliability of their crappy, unsecured voting system.

Unless Stone allows a legitimate security penetration test to be held on his systems, as would occur in the commercial world for any such mission-critical, secure system, he is signaling to his constituents, the state of California, and America that even he has no confidence in the security of the equipment supplied to his voters to exercise their precious democratic franchise.

Two more reporters picked up the shameful tale this week in local media.

The Desert Sun's Nicole C. Brambila filed a short piece on Sunday headlined "Hacking debate gains traction" in which Stone and his pusillanimous peeps once again reiterate the phony conditions of "no tools and no dismantling the machine. And, the hacker has to infiltrate the system in 15 minutes, the estimated time it takes a voter to do his or her civic duty."

We laugh knowingly in Stone's general direction. Even as he likely cries inside.

Of fresh note in Brambila's piece are these final grafs...

Verne Lauritzen, Stone's chief of staff, said Tuesday the blue ribbon committee supervisors formed will look at security breach issues. The hack, he said, should be attempted in the context of election night conditions.

"If there's somebody that can demonstrate that they can hack into the machines we want to know about it," he said. "And, then we'll be throwing away a lot of machines."

Of course, Lauritzen wants "to know about" no such thing. Otherwise, they would allow for a legitimate "red team" penetration hack test. If they did, we can only hope that Riverside County has plenty of landfill room still available.

And on Monday, the excellent syndicated columnist Tom D. Elias ran a piece which summarized the whole sorry story and reminded us of Stone's words as he wagered his "thousand to one" bet (which has been met, by the way, with $1000 as wagered by an assorted group of Election Integrity advocates).

"Maybe we should bring the media in and let's see if your programmer can manipulate that machine," Stone strutted. "My guess is that it is not gonna happen, but I'm willing to take a chance on that."

Having taken "a chance on that" with the challenge now accepted, it's time for the Riverside County Supervisors to put up or shut up.

Elias calls on them to do just that, writing that it's time for the County's electronic voting system to be put to the test and then noting:

No sooner had Stone's bet been accepted, however, than he, his fellow supervisors and the maker of some voting machines began to hedge. A spokeswoman for Sequoia Voting Systems suggested an unfettered test might violate the terms of her company's contract with the county.

Then Stone allowed that any would-be hacker should step up to a voting terminal as an ordinary voter might do in a real election. No one has ever suggested that ordinary voters can rig the machines. Instead, episodes of machines recording more votes than there are voters in a precinct, or reversing the tally of votes involve alleged manipulation of machines before or after votes are cast.
...
A test that doesn't allow the designated computer hacker to work on the machines as they might be handled prior to the election and after it is no real test at all.

As ever, Elias is dead on the money. And we continue to wait to see if the challengers will now follow through with their ill-advised boast which, if conducted legitimately, would do nothing less than actually serve their constituents very well.

If not, and if they continue to tacitly admit they've forced unsecured voting systems on their own constituents in which even the Supervisors do not have confidence, it's likely their legacy will be little more than to be ignominiously known throughout history as the Cowards of Riverside County.